Podcasts
Everest
Active Since
December 2020
Known Forum Aliases
N/A
Active Forum Accounts
N/A
Everest has been around since at least 2020, making it one of the oldest ransomware operations still active after LockBit and Cl0p.
Initially using the now-popular technique of double extortion – encrypting a victim’s data in addition to stealing and threatening to publish it on its dark web leaks site – Everest has claimed in recent years to eschew ransomware and engage in data extortion-only attacks. The gang has also been observed moonlighting as an initial access broker, providing unauthorized corporate network access to other threat actors for a fee.
Related Content
Videos
How can you identify ransomware operators targeting you on the dark web?
The Dark Web Hub
Vice Society [offline]
Vice Society stopped posting victims to its dark web leak site in June 2023 and went offline in December. Some security analysts note similarities in the TTPs of Vice Society and those used by Rhysida.
The Dark Web Hub
LockBit
LockBit was the most active ransomware group by number of listed victims on its dark web leak site in 2022 and 2023. In February 2024 its leak site was seized in Operation Cronos.
The Dark Web Hub
Cl0p
Cl0p is notable for its approach of using vulnerabilities in supply chain software to target multiple organizations, announcing them in a batch at a later date.
The Dark Web Hub
Akira
Akira appears to be a novel ransomware, written in C++, with versions targeted both at Windows machines and Linux operating systems. It has quickly become one of the most prolific ransomware groups.
The Dark Web Hub
BlackCat [offline]
The RaaS group BlackCat (also known as ALPHV or Noberus) is believed to include developers and money launderers from the former DarkSide ransomware group, most infamous for the Colonial Pipeline attack.
